WIFI4EU will not be "free"

Paris, 26 October 2017 — Yesterday, the EU officially signed the WIFI4EU Regulation, intended to promote Internet connectivity in local communities. By ignoring the open letter of the European open-Wifi community, this Regulation undermines the telecom ecosystem diversity. It dismisses the promotion of non-profit Internet Service Provider and enforces an authentication mechanism, forbidding what could have been free and open WiFi hotspots.

The European Commission's WIFI4EU inital proposal of September 2016 established the goal of developing Internet access in under-served areas by inciting local authorities to provide free WIFi hotspots. The European Parliament made some useful amendments, especially by calling for the promotion of non-profit ISPs. After six months of negotiations, it gave in to almost all of the dangerous propositions pushed by European governments. Thus, operators willing to benefit from the WIFI4EU funds will have to comply with requirements contradictory to the idea of free and open networks.

Authentication system

The future WIFI4EU hotspots will force users to authenticate in order to access the Internet. Regulating access to public networks is not backed by any substantial reasoning or impact assessment. The EU entirely ignored the inefficiency of such authentication systems: hotspot providers have no legal power to require users official identity. However, identifying all users has become obsolete since the CJEU stated that generally retaining all users' traffic data would breach the European Charter of Fundamental Rights1. EU law states that ISPs may only be compelled to retain traffic data related to a targeted individual2.

Furthermore, the Parliament and Member States easily agreed on the promotion of a single sign-on system used across the EU. But their accordance didn't lead to better regulation: it is neither clear if a public or private service will operate the authentication system, nor who will have access to its database. In this trade-off, the future WIFI4EU users' right to privacy is critically compromised, especially as the authentication requirement is imposed by state and for publicly funded services. With regard to the obligation for users to reveal their identity, as it is the case in most EU member states for the use of prepaid SIM cards, the European Court of Human Rights already questions this practice.

Data retention and traffic data

During those negotiations, the European Parliament has at least prevented future WIFI4EU-users from being targeted by commercial surveillance. Publicly-funded networks may not be used to monitor users' traffic data. Unfortunately, this does not prevent national law from imposing a general obligation to retain users' data on open-WiFi providers, despite the clear CJEU rulings on the matter3.

Community networks and SMEs

In order to foster diversity in the telecom sector, the Parliament tried to involve non-profit ISPs as potential beneficiaries of WIFI4EU funding. In the same way, local SMEs might have been promoted as key beneficiaries for the procurement and installation of equipments4. But the final agreement with Member States failed to address such improvements: the explicit call to promote the economic fabric of non-profit community networks, already providing open wireless connectivity with little or no public support, was erased. Therefore, WIFI4EU missed the chance to promote local employment, to spread technical skills and to diversify the telecoms sector. Instead, dominant players will reap most of the WIFI4EU subsidies.

The WIFI4EU Regulation lacks any ambition to establish a real "free" (as in freedom, not as in "free beers") and EU-wide WiFi access. Free access requires both anonymous access to the Internet and decentralised networks owned by those who run them. Favoring the usual suspects for the deployment of WIFI4EU hotspots will not solve the problem of unequally allocated connectivity and will inhibit innovation. This alarming and absurd trend reflects perfectly Member States' general policy direction undermining the safeguard of public interest in the telecom sector.

1. CJEU ruling Tele2 Sverige AB (C-203/15) from 23 December 2016 firmly concludes that EU law precludes "national legislation which, for the purpose of fighting crime, provides for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication."

2. In the McFadden case, the CJEU stated that a judge can order an hotspot to be protected by a password and that users are required to reveal their identity in order to obtain the required password when it is necessary to prevent copyright infringements. However, such an order would be disproportionate in many cases - the retained data would not be limited to targeted individuals - and inefficient since the hotspot provider has no legal power to require users to reveal their official identity.

4. The Regulation mentions only SMEs, but these are defined in EU law as "entit[ies] engaged in an economic activity, irrespective of its legal form." The notion can therefore include many non-profits that already work at the local level to provide flexible and affordable Internet access. See: http://ec.europa.eu/DocsRoom/documents/15582/attachments/1/translations